Amazon Web Services - Receive - Not Authorized To Perform DescribeSecurityGroups - When Creating New Project in AWS CodeBuild - Stack Overflow
I am trying to create a new project in AWS CodeBuild. Every time I attempt to I receive the
following error:
Not authorized to perform DescribeSecurityGroups
3 Answers
You are likely missing the VPC related permissions in your service role. You need to update the
role to have the following policy:
https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterface",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface",
            "ec2:DescribeSubnets",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeVpcs"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterfacePermission"
          ],
          "Resource": "arn:aws:ec2:{{region}}:{{account-id}}:network-interface/*",
          "Condition": {
            "StringEquals": {
              "ec2:Subnet": [
                "arn:aws:ec2:{{region}}:{{account-id}}:subnet/[[subnets]]"
              ],
              "ec2:AuthorizedService": "codebuild.amazonaws.com"
            }
          }
        }
      ]
    }
answered Oct 19, 2018 at 5:46 by Subin Mathew; edited Apr 5, 2019 at 12:31 by JamesFrost
It means that the associated IAM role doesn't have an attached policy allowing CodeBuild to
describe security groups.

If you are trying to create a new Build project and have selected "New Service Role" (Create a service
role in your account), and at the same time added VPC, Subnets and Security Groups in the Additional
Configuration section - you will get the "Not authorized to perform DescribeSecurityGroups" error.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": [
            "ssm:GetParameters",
            "logs:PutLogEvents",
            "logs:CreateLogStream",
            "logs:CreateLogGroup",
            "ecr:UploadLayerPart",
            "ecr:PutImage",
            "ecr:InitiateLayerUpload",
            "ecr:GetAuthorizationToken",
            "ecr:CompleteLayerUpload",
            "ecr:BatchCheckLayerAvailability"
          ],
          "Resource": "*"
        }
      ]
    }
It's not allowing anything VPC/EC2 related, so you can either pre-create the correct policy and use it,
or let AWS create the project without a VPC, and modify the new policy by adding the required services in
the "Action" block:

    "Action": [
      "ssm:GetParameters",
      "logs:PutLogEvents",
      "logs:CreateLogStream",
      "logs:CreateLogGroup",
      "ecr:UploadLayerPart",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:GetAuthorizationToken",
      "ecr:CompleteLayerUpload",
      "ecr:BatchCheckLayerAvailability",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets"
    ],
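
A pre-flight check for the service role discussed in the first two answers, added here as an example and not code from either answer: it reports which of the EC2 actions listed on this page a policy document does not allow, honouring wildcards and explicit denies. The function and constant names are hypothetical, and Resource and Condition scoping is not evaluated.

```python
import fnmatch

# The EC2 actions the answers list for a CodeBuild project attached to a VPC.
REQUIRED_VPC_ACTIONS = [
    "ec2:CreateNetworkInterface", "ec2:DescribeDhcpOptions",
    "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
    "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs", "ec2:CreateNetworkInterfacePermission",
]

def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_vpc_actions(policy_document):
    """Return required actions that no Allow statement names, or a Deny names.

    Resource and Condition scoping and NotAction are not evaluated.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy_document.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action")))
    return [a for a in REQUIRED_VPC_ACTIONS
            if _matches(a, denied) or not _matches(a, allowed)]

# Constructed sample: the auto-generated service role policy quoted in the
# second answer, before any EC2 actions are added.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "", "Effect": "Allow", "Resource": "*",
        "Action": [
            "ssm:GetParameters", "logs:PutLogEvents", "logs:CreateLogStream",
            "logs:CreateLogGroup", "ecr:UploadLayerPart", "ecr:PutImage",
            "ecr:InitiateLayerUpload", "ecr:GetAuthorizationToken",
            "ecr:CompleteLayerUpload", "ecr:BatchCheckLayerAvailability",
        ],
    }],
}

print(missing_vpc_actions(DEFAULT_POLICY))
```
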
I had this same issue when using CloudFormation. The issue was the IAM role was being created
before CodeBuild started creation, but the Policy attached to the IAM role was being created after
CodeBuild was created.

The remedy for this was to add a DependsOn to CodeBuild saying it needs the Policy to be created
first.

Ex:
    CodeBuildIamRole:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: 'CodeBuildAutomatedTestingRole'
        AssumeRolePolicyDocument:
          Statement:
            - Action: 'sts:AssumeRole'
              Effect: Allow
              Principal:
                Service: codebuild.amazonaws.com
        Path: /
    CodeBuildIamPolicy:
      Type: 'AWS::IAM::Policy'
      Properties:
        PolicyDocument:
          Statement:
            - Action:
                - 's3:PutObject'
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:ListBucket'
              Effect: Allow
              # ...
            - Action:
                # ...
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
                - 'ec2:CreateNetworkInterface'
                - 'ec2:DescribeDhcpOptions'
                - 'ec2:DescribeNetworkInterfaces'
                - 'ec2:DeleteNetworkInterface'
                - 'ec2:DescribeSubnets'
                - 'ec2:DescribeSecurityGroups'
                - 'ec2:DescribeVpcs'
                - 'ec2:CreateNetworkInterfacePermission'
                - 'ecr:*'
              # ...
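
A lint for the ordering problem this answer describes, added here as an example and not part of the original answer: it flags any `AWS::CodeBuild::Project` whose service role has an `AWS::IAM::Policy` attached that the project does not name in `DependsOn`. It assumes the template is in JSON form (or already parsed into a dict); `CodeBuildProject` and the function names are hypothetical, while `CodeBuildIamRole` and `CodeBuildIamPolicy` come from the answer.

```python
def _logical_id(value):
    """Resolve {"Ref": X} or {"Fn::GetAtt": [X, attr]} / "X.attr" to X."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        target = value.get("Fn::GetAtt")
        if isinstance(target, str):
            return target.split(".")[0]
        if isinstance(target, list) and target:
            return target[0]
    return None  # literal role name or ARN: not a resource in this template

def projects_missing_policy_dependency(template):
    """Map each CodeBuild project to the role policies absent from its DependsOn."""
    resources = template.get("Resources", {})
    policies_by_role = {}  # role logical id -> attached AWS::IAM::Policy ids
    for name, res in resources.items():
        if res.get("Type") == "AWS::IAM::Policy":
            for role in res.get("Properties", {}).get("Roles", []):
                role_id = _logical_id(role)
                if role_id:
                    policies_by_role.setdefault(role_id, []).append(name)
    findings = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::CodeBuild::Project":
            continue
        # GetAtt on the role orders the project after the role, not its policy.
        role_id = _logical_id(res.get("Properties", {}).get("ServiceRole"))
        depends = res.get("DependsOn", [])
        depends = [depends] if isinstance(depends, str) else depends
        missing = [p for p in policies_by_role.get(role_id, []) if p not in depends]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample template, reduced to the fields the check reads.
SAMPLE_TEMPLATE = {"Resources": {
    "CodeBuildIamRole": {"Type": "AWS::IAM::Role"},
    "CodeBuildIamPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"Roles": [{"Ref": "CodeBuildIamRole"}]},
    },
    "CodeBuildProject": {  # hypothetical logical id, no DependsOn yet
        "Type": "AWS::CodeBuild::Project",
        "Properties": {"ServiceRole": {"Fn::GetAtt": ["CodeBuildIamRole", "Arn"]}},
    },
}}

print(projects_missing_policy_dependency(SAMPLE_TEMPLATE))
```

Setting `DependsOn` on the project to the policy's logical id, as a string or a list, clears the finding.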